
RE: Emulate real ip's to access intranet hosts from outside



IMHO, putting a box on the interweb has security implications. But
port-forwarding in itself isn't exactly a security problem. I use port
forwarding to forward packets to a dmz, so on the off-chance that I am
r00t'd, all they have access to is the dmz. They still would have to be
real sneaky to get into my internal network, unless they can exploit the
firewall which isn't running any services.

From my understanding, using port forwarding into a dmz is a very good
idea. Running services on your firewall is a much greater risk than port
forwarding, since if the firewall is r00t'd, then they control the
access point to the interweb and can sniff user/pass at will, and do
whatever else they feel inclined to do. 

Not trying to start a huge thread or a flame, but pointing out that
port-forwarding in itself doesn't have any security implications, it's
the implementation of port-forwarding that can have security
implications.


My .03, adjusted for inflation



Steven 

"exitus acta probat"
"fide, sed cui vide"



-----Original Message-----
From: Phillip Hofmeister [mailto:plhofmei@svsu.edu] 
Sent: Wednesday, February 13, 2002 6:42 AM
To: ramon.acedo@upcnet.es
Cc: debian-security@lists.debian.org
Subject: Re: Emulate real ip's to access intranet hosts from outside


I think it is worth pointing out that port-forwarding has security
implications.  If one of your services is compromised (even if it is not
running as root) the attacker now has a good amount of access to your
local/internal network.  I would only forward ports when absolutely
needed and only to a service that I absolutely trusted.

Phil



